Hacking puts Haley administration to the test

Questions focus on whether enough was done; governor says she will protect residents

Oct. 27, 2012

Gov. Nikki Haley along with State Law Enforcement Division Chief Mark Keel, left, and South Carolina Department of Revenue Director James Etter address a security breach in Department of Revenue information at the State Law Enforcement Division offices in Columbia on Friday, October 26, 2012 / Heidi Heilbrunn/Staff

Written by

Capital Bureau

WHAT YOU CAN DO

South Carolina residents who call 1-866-578-5422 are now being given the activation code SCDOR123 that can be used to sign up for free credit monitoring at www.protectmyid.com/scdor. The message also notes that residents whose data was not affected will be given the option to pay for credit monitoring.


COLUMBIA — As investigators assess damage from the hacking of the state computer system and South Carolina residents spend days of uncertainty, a central question is whether officials did all they could to protect sensitive information.

At a press conference on Friday to publicly reveal the breach, Gov. Nikki Haley pressed the themes of anger at the hacker, determination to catch him, steps to protect residents from further harm, and the sense that any computer system is vulnerable.

She demurred when asked if she was holding anyone within her administration responsible, after declarations following an earlier breach of a state computer system that heads would roll if there was another.

An outside expert hired by her administration to investigate the extent of this breach, which exposed 3.6 million Social Security numbers and 387,000 credit and debit card numbers, quoted FBI Director Robert Mueller: “There are two kinds of firms — those that have been hacked and those that will be.”

Another expert interviewed by GreenvilleOnline.com, however, said government agencies employ outdated thinking in steps they take to protect residents from harm.

In the days ahead, the unprecedented and costly breach likely will emerge as a political and governing test of the Haley administration.

It’s not yet clear how high the tide of public anger will rise. For the moment, residents are struggling to follow Haley’s urging to call a toll-free number to enroll in credit protection paid for by taxpayers — a system that initially was swamped and rendered ineffective by the sheer wave of callers.

The chairman of the state’s Democratic Party, Dick Harpootlian, has delivered a blunt assessment of the governor.

“If she were the CEO of a company that had a third of its data hacked, especially after all the public warnings of the danger of hackers, she would be fired,” said Harpootlian. “Too bad she has two more years on her contract.”

“Just because Dick Harpootlian decided it was appropriate to try and turn a criminal attack on South Carolina into a partisan political issue doesn’t mean we’ll respond in kind. Our focus will remain on making sure the people of our state have the protection they deserve,” he said.

That returns to the question of whether residents had the protection they deserved before a foreign hacker cracked into the Department of Revenue’s system.

'Unprecedented' hacking

Officials have so far declined to release many details about the investigation of the theft, the hacker, or how it occurred.

They argue, however, that any system is a possible victim.

“I don’t think any of us are safe that are connected to computers and are connected to the Internet,” State Law Enforcement Division Chief Mark Keel told reporters for GreenvilleOnline.com and WLTX television in Columbia.

“It’s evolving technologies. You would hope there would be some security that could be put into place that you wouldn’t have to worry about this. But it is the state of affairs that we live in today. I don’t think any of us can make the claim that we can do something to make our systems completely safe.”

Marshall Heilman, director of Mandiant, a computer security firm hired by the Haley administration’s Department of Revenue to assist in the investigation and to fix any security holes, agreed.

“Security is an evolving process,” he said. “There is no organization out there that can claim to be completely secure. If you have a computer connected to the Internet, it is possible to break in.”

Haley called the hacking “unprecedented” and rejected any notion that the state should have been better prepared because of the April breach of Medicare and Medicaid records belonging to nearly 230,000 residents. A state employee has been charged.

“This is totally different,” she said. “This is an international attack that did not come from the inside.”

The governor took steps after that breach at the Department of Health and Human Services to improve security at her cabinet agencies, asking State Inspector General Patrick Maley to review the security for confidential information at each and make recommendations.


Maley found the systems of those he reviewed, including the Revenue Department, basically sound. Even as he was giving Haley that assessment, the agency’s computers had already been hacked – though that wouldn’t be known for another month.

Maley told GreenvilleOnline.com that a hacker can get into any system with enough motivation.

“I can assure you, if somebody wants to get into your system, they can get into your system,” he said. “The question is how much time, energy and commitment do they have and how hard are you going to make it for them to minimize that risk? There is no riskless system.”

Different strategies

Tom Kellermann agrees with that statement but says government agencies are still looking at security the way they did 10 years ago.

Kellermann is vice president of cyber security for Trend Micro, an international computer security firm. He’s served as a commissioner on a presidential commission on cyber security and serves on the board of the National Cyber Security Alliance, the International Cyber Security Protection Alliance, and the National Board of Information Security Examiners Panel for Penetration Testing.

Kellermann said firewalls, encryption and virus scans, all longtime basics of computer protection, are not so relevant anymore in a world where someone can buy an intrusion kit without any deep computer background and launch attacks.

“They’re leveraging cyber weaponry against an organization that usually hasn’t been seen before,” he said. “And they’re leveraging attacks that are facilitated through web or mobile devices, which allow them to create beachheads in the system and then move laterally or go deeper within these systems.”

Kellermann said government agencies are targeted not just because hackers want to steal personal information or financial records but also because so many people trust government computers. That trust, he said, makes it easier to spread from agency servers to many other computers.

Modern hacking threats require modern defense thinking, he said, and moving away from the belief of a decade ago that agencies can always build a supreme defense that can’t be penetrated.


“I think the paradigm you should use is how do you build a better prison rather than how do you build a better castle,” he said. “How do you make sure that it’s more difficult for an intruder to get out with the information? What I’m saying is how do I increase the level of discomfort with an intruder so they don’t want to maintain the resources necessary to maintain persistence.”

Kellermann said while firewalls and encryption are useful, computer systems have to evolve just as the underground hackers have evolved.

The top five gaps in cyber security for organizations, he said, are the use of passwords to authenticate; a lack of managing threats via mobile devices, such as smart phones; inadequate detection of lateral intrusions; lack of monitoring of file integrity; and a lack of virtual shielding.

A system, he said, might have holes that can eventually be patched once a software maker has sent out fixes.

“Those critical holes can be patched immediately through virtual shields so you don’t have that delay of weeks or months it takes to manifest patches,” he said. “During that time, your organization is naked.”

He said organizations also should be using what is called “custom sandboxing,” which sends suspected threats into an environment that can be studied to determine the behavior of the threat.

“You look at something inside of the system and you worry about whether it is the enemy or not,” he said. “So you throw it in this sandbox environment where it can’t do any damage to see what it does.”

Such technologies, he said, change the idea of protection from preventing intrusions to identifying intrusions, determining what the intruders are doing and who is controlling them.

He also said he sees too many agencies where chief security officers do not have the same level of authority as chief information officers, a mistake when the focus is not so much building systems but sustaining and protecting them.

“Right now you have an offensive coordinator who is the boss of the defensive coordinator,” he said. “And that is the governance problem that exists.”

He said agencies need to shift their thinking and to consider where the threats are coming from.

“If anything, 2012 is the year that we need to begin to pay attention to our own security and what’s going on in our own backyards but also what’s going on in the park across the street,” he said. “The U.S. is being targeted not just by nation-states anymore but by organized crime.”

South Carolina government is operating myriad computer systems without any mandatory standards, Maley said.

He said while the state’s information technology office recommends standards for security and other issues, it can’t make agencies use them. And there are 100 agencies, universities, boards and commissions using computers, many with their own systems, security, computer managers and policies.

He said not having mandatory uniform standards complicates protecting the state’s computers and the information inside of them.